2020 Breaches: Time to Protect at the Source

53%: Time to Protect Data at the Source

Remember when we used to say it was OK to build a security perimeter to keep attackers out of the corporate network? It goes without saying this isn’t valid anymore. So why do companies operate as if we can somehow keep attackers out of our host computers? If they’re in the network, they have access to host computers. That means sensitive information, stored on these host computers, is compromised.

Ultimately, it goes back to the practitioner who recognizes this is a problem but doesn’t get priority to address it. In most organizations, those in budgetary positions prioritize other matters well before the host application data problem. And for good reason: History shows us that, “proper” controls are expensive, intrusive, and not very effective.

But that was then, this is now.

SSProtect: Addressing Host Data Encryption Shortcomings

We started working on a way to effectively protect host application data and email back in 2014, mostly because we had this very need and couldn’t find effective solutions to the problem. Our primary goal was to assume host compromise and find effective ways to minimize data exposure while at the same time permitting authorized users easy and native access.

Integrated Workflows and Application Independence
To meet these challenges, we needed to provide protected end-user workflow integration, application and infrastructure independence, (continuous in-use protection, below), and high-performance scalability with reliable execution. Innovation took us the better part of the first couple years (2014-2015), and that formed the Foundation of our system with a strong protective posture and end-user flexibility. We have, in fact, offered our technology using a self-service model, though it can be integrated into Enterprise deployment facilities.

Multi-Party Consent Trust Model
Protection is based on a multi-party consent trust model. In simple terms, for each managed Version instance, SSProtect generates and uses an end-user key on the host, not exposed to KODiAC Cloud Services, while offloading host-protected content that KODiAC then encrypts again with its’ own isolated (cloud-stored) key. Results are then placed back on the host computer, which means an attacker can take the file but can’t decrypt content even if he/ she has pervasive access to all host material (without Impersonation, see below).

Inhibiting Remote Access Impersonation
Keys aren’t combined for data decryption until you provide Authentication credentials using fine-grained 2FA that requires a physical presence assertion, i.e. you touch a USB key after SSProtect Login, each time you access managed content. This inhibits remote access Impersonation (Account Hijacking). Note that the resulting OTP is offloaded to KODiAC for Authentication.

Continuous, In-Use Protection in Native Software
Meantime, the host isolates the resulting plaintext then passes results to the managing application you’ve chosen to use. It sees native plaintext, however SSProtect blocks others from accessing this content. That means attackers lying in wait can’t simply steal decrypted data while you’re using it – they now have to breach the application itself, find shortcomings in our implementation, or breach both the host and KODiAC Cloud Services at the same time. Completely different game.

Response and Recovery Facilities
But even still, data breaches and security events disrupt operations, and we need a complete solution capable of managing sensitive data throughout the entire lifecycle of today’s dynamics. For that reason, we layered Response and Recovery controls on top of this Foundation, providing IT and Security Administrators with the capacity to maintain Continuity during and after a breach.

SSProtect/ KODiAC: A Cryptosystem for Effective, Easy-to-use Host Data Protection 
Results are what you see today; A cryptosystem that’s easy to deploy, use, and administer, that’s effective in stopping today’s most advanced attacks, that limits data exposure while providing administrators with the tools necessary to quickly respond and recover – all with minimal end-user disruption and ongoing application/ infrastructure flexibility.

Is this enough to justify a shift in spending priority, given over 50% of the most significant 2020 breaches end up heisting host data?

Basic SSProtect Deployment

Before we explain how the software helps with Security Events and Incident Response, let’s look at what it takes to use.

Add the 7.5 MB SSProtect to your host computer images, or have end-users self-service install.
SSProtect is likely the smallest security control you’ll use, from both the standpoint of installation footprint and system resource utilization.

Provision SSProtect Accounts and 2FA USB Tokens for those who create and use sensitive content.
You can do this manually, or you can script it using our :Expand programmatic i/face along w/ Directory Services you use. This can be done in batches or as part of your onboarding/ offboarding automation.

Automate protection into your workflows using :Expand, and/ or host-based data classification utilities.
Use :Expand to integrate automatic protection for documents dropped into a SharePoint Workspace, or set :Email Policy to automatically protect attachments when emailing authorized SSProtect Users.

Manually protect new/ plaintext content with two mouse clicks.
Subsequent workflows maintain protection – removing managed assets from SSProtect requires Policy permission and specific action that is of course audited. You’ll see this in Reports and also when executing :Respond Objective Disclosure Risk analysis.

Use :Email to protect Outlook message content, tracking threads beyond what Outlook does.
:Email uses a host-based add-in inside of Outlook as a data proxy to the :Foundation Client carrying out protections coordinated wtih KODIAC. While other email encryption applications have been challenged with stability, we’ve only made two changes to :Email in the past couple years, specific to the Office changes that supported multiple monitors. No server-side Exchange integration is required – and in fact, SSProtect can manage messages from any email service provider, not just Exchange.

Increase end-user productivity with :Recover, seamlessly storing secured Versions in the cloud for recall.
Plaintext is not accessible to the Cloud Service Provider, and end-users can peruse their own Archive and Restore any managed Version instance they need with a couple mouse clicks (or using automated integration with :Expand and other facilities).

Use and share protected content just as you would plaintext content.
SSProtect integrates with existing workflows, applications, and infrastructure to simplify end-user access. Peer data sharing is built-in, so protections don’t require end-users to, “encrypt to a group”. Privileged Users manage Policy for Third Party Trust associations. Appoint team members or central IT as Policy makers – or both.

SSProtect is simple to deploy, use, and administer.
Installation is simple, use of managed content remains almost the same as unmanaged content (provide 2FA credentials), and you get continuous protection, detailed and certain Auditing, built-in secured data storage (:Recover), and powerful Incident Response and Recovery capabilities (:xRecovery and :Respond), without sacrificing application or infrastructure flexibility, today and tomorrow.

SSProtect/ KODiAC and Security Dynamics

What happens when you encounter a Security Event using SSProtect? Here are some common cases.

A user and his/ her laptop is breached. He/ she comes into the corporate office, hands it to IT, and gets a replacement.
When you install SSProtect on the new computer then Login with existing credentials, with :Recover the software will recognize that your Working Set of managed content is not present. This results in a prompt to Replicate secured managed content locally. This takes a few seconds or a few minutes, depending on the amount of content – then you’re ready to go. This can be automated with your imaging process or carried out by the end-user. Continuity maintained.

Your Organization is hit by Ransomware, and several users note they can’t get to their data.
With SSProtect, overwriting managed content on a host computer doesn’t affect :Recover content stored in the cloud – all updates require full authentication and get handled seamlessly. As such, with :Recover, end-users can peruse their Archive of managed content and manually Restore the latest Version – or any other managed Version – then continue with proper data Integrity.

For more widespread impact, when using :Respond, Privileged SSProtect Users can dispatch Remediation. For each managed SSProtect User, this analyzes their Working Sets and compares cryptographic Integrity with the expected :Recover results, saving corrupted content but Restoring the last known good Version for ongoing use. The Summary Report shows where and when content was corrupted, giving you a pervasive view of where Ransomware affected host computers.

This avoids the need to pay a ransom to access your data, and also avoids Doxing threats for public disclosure – unless of course the attackers managed to breach DefiniSec’s KODiAC Cloud Service layers. Otherwise, they won’t have your data, and public disclosure threats are meaningless.

The FBI calls to inform you that an advanced, targeted attack has been carried out on your Organization months ago.
You work with the FBI to determine when and how the attackers gained entry into your network. Your Board wants to know – how bad is it? With :Respond, privileged SSProtect Users can generate an Objective Disclosure Risk Report that shows you what has been affected, where, and to what extent. This combines the power of KODiAC Cloud Cryptographic Offloading together with cloud-generated Audit details to show you what maintained theoretical protection, what was exposed, where by whom for how long, how and to what extent. This is the worst-case scenario, in a Report, available within minutes. You can, from there, prioritize further Incident Response tasks while avoiding the expense and disruption of time-consuming investigation that often falls short of providing Definitive insight. This can costs hundreds of thousands of dollars and take weeks – now, you simply generate a Report then communicate details with confidence.

One of your partners is hit by a nasty attacker, losing significant data.
Content you’ve shared, in SSProtect’d form, remains protected even when being utilized. With :Respond, you can again generate an Objective Disclosure Risk Report to see how your data was affected, over time, and determine what may have been put at risk. Remember, simple offloading while content is in-use doesn’t work, so attackers have to be a bit more savvy, stealing content from the Application or breaching DefiniSec’s KODiAC Cloud Services. In general, lacking protections in other networks won’t always affect SSProtect’d content. This is a huge advantage for those sharing sensitive data with other Users, given breaches sometimes occur through partners.

A rogue employee is terminated, and he throws his laptop into the ocean.
When using :Recover, content cannot be deleted by end-users, even when removed locally or physically destroyed. With :xRecovery, you can request a secured offline Archive of all end-user content, choosing the last Version or acquiring every managed Version over time. You can of course use this content and distribute it to others, and future work will allow you to, “transfer” a previous employee’s content to other Users. Either way, the content your employees created and/ or worked with, that your company owns, is not destroyed.

SSProtect was designed not only to maintain protections in the face of advanced attacks, but also provide the capabilities necessary to Respond to complex security events, with certainty.  This helps maintain operational continuity during and after an attack, providing full data lifecycle protection for sensitive application data and email content.

Practical SSProtect Application

Addressing shortcomings in traditional host data encryption goes well beyond what we’ve discussed here. The devil is in the details, and insight requires significant expertise to extrapolate real-world impact. So instead of trying to enumerate technical details and explain their significance, we thought it best to talk about some of the things we can do, which better illustrate how and where we’ve addressed gaps.

Legal Document Exchange
Law firms have been reticent to use data encryption only because they have so many clients, so many disparate systems, and so many different applications. Few solutions have the resources to custom-integrate through these changing dynamics. But because SSProtect is truly application-independent, and due to the way data storage and data access permissions can be decoupled (think long-term storage requirements), we now have a viable consideration capable of extending the security of existing sync and sharing solutions without precluding further secured access in various host-based application software packages.

Accounting Systems
Accountants face many of the same challenges law firms face – disparate systems, document automation, and long-term storage requirements. The ability for SSProtect to work, seamlessly, with different aspects of the workflow – while also supporting intimate workflow integration – allows Accountants to extend protections to sensitive material exchanged between clients and their associates, then maintain protections while information is being utilized.

Insurance Data Formatting
We’ve encountered a number of small companies that engage in translating insurance data from one file format to another, as the industry moves from older systems to new, more common technologies used in desktop computing environments. This puts sensitive third-party data in the hands of people working at home, which needs to be protected. Application-independent and flexible licensing support these needs, allowing document automation and scripting to translate materials without exposing plaintext on host computers in home networks that are easy to breach.

Life Sciences Contract Research Data Partitioning
Life Science companies often contract scientists to perform research, and many of these scientists contract out to several different vendors over time. What happens if a scientist accidentally exposes the wrong content to the wrong vendor? This delivers sensitive Intellectual Property to a direct competitor.

This won’t happen if content is protected with SSProtect. Use flexible Licensing to assign your scientist to your SSProtect Organization. Content shared to unauthorized users is not accessible, making these types of mistakes almost completely meaningless. When the scientist is inactive, re-use the License for other contract resources – and re-assign the License if/ when he/ she returns for another stint.

This also stops theft of Research data during Technology Transfer sessions. We’ve encountered more than one targeted attack where content is heisted from online conference calls, realtime. With SSProtect, it’s virtually impossible for the attacker to recover plaintext this way. Given the number of cases where targeted attackers have gone after COVID research…

Medical Image Data
Medical images are sometimes burned to CDs and delivered to customers, in plaintext format. Disclosing this online is not possible, given FDA requirements. With SSProtect, you can however utilize Catalogs to protect image data with very little impact to access times. This is critical when scrolling through MRI images in application software – and requires compatbility with any of the large number of viewing applications that are available. In our experience, we have been able to make nearly 300 MB of images across 250+ files accessible with only a few seconds of initial load delay (and remember, while maintining in-use isolation). This opens the door to image delivery using more modern facilities while protecting content on patient computers and shared medical hosts as well.

Medical Data on Shared Host Computers
In hospitals, medical information is stored on shared-use computers, however different staff has no need to access content from patients they aren’t managing. This happens with nursing stations, and we’ve observed situations where prominent folks have been admitted and unauthorized medical staff have accessed shared computers to look at detailed medical records. Were they taken and sold to the National Enquirer? With SSProtect, only authorized team-specific resources would have access to content on the shared host, and access attempts would be securely audited. This limits liabilities for those managing these records.

Front Page News via Email
Email protection can help mitigate threats of exposing Executive discussion to the public domain (doxxing). This is more than a trivial concern, and inhibits productive discourse when two parties can’t connect on the phone. It’s also reasonable to assume that voice communications have their own challenges, given securing audio and video is also a challenge with limited options. But by protecting email message content using 2FA, Executives can now exchange written information without worrying about disclosure – and also keep a record of their information sharing to support legal battles that may call credibility into question. 

Manage Sensitive Information Easily
Sensitive information, such as Password Databases and/ or SSH keys, can and is being protected by SSProtect. This can help prosecute Insiders who try to abuse these resources – and that threat alone is sometimes enough to stop someone. In fact, in our 70+ breaches, there is a specific case where an Insider utilized master keys to pull off a heist. This can be extensively limited with SSProtect, and as noted all access is audited by KODiAC Cloud Services by nature of the multi-party consent contract built into patented offloading techniques.

Maintain Geographic Storage Compliance w/ Replication Policies
SSProtect allows you to determine where cloud-stored :Recover content is replicated, avoiding regions that are off-limits in regulated industries or limited due to export controls (or simple common sense). You can also determine whether or not end-users can access content from outside their, “home” region as well, permitting connectivy to the in-region Data Center and allowing KODiAC to proxy data (when it’s not replicated in the remote region) and/ or preclude or require direct, remote connections to the home Data Center so stored content isn’t proxied. The choice is yours.

Summary

We can no longer afford to pretend attackers in our networks don’t have access to critical Intellectual Property or confidential information. This data can – and will – be used by Ransomware/ Doxxing operators or stolen by (and/ or sold to) nation-state adversaries who then pass the data on to government-controlled interests.

This is evident when we review the most significant breaches of 2020. And this is only based on what we know. Once an adversary gains access to your network, it can be very hard to remove them, and it’s not always clear what they take and continue to take.

For these reasons, companies can no longer afford to deprioritize spending for host-based data protections. And whether your looking to inhibit and/ or recover from Ransomware/ Doxxing, protect critical resources, or maintain obfuscation of email content, SSProtect may be the right choice for you. Designed from day 1 to offer effective protections with ease-of-use and Response/ Recovery facilities, you can start small and scale as your needs grow. If this seems viable for your needs, download the software and give it a try – for free.

Supplement: 2020 Breach Summary Data

The following includes the individual breaches we reviewed, taken from ZDNet.

Blue text refers to dynamics associated with application data files/ documents and/ or email content.
Orange text refers to either highly-sensitive document/ email content or relies on dynamics nation-states uses for the same purposes.

JANUARY; 2/6

– Travelex: Malware affecting systems, temporary service outage
– IRS Tax Refunds: $12M in fraudulent tax returns filed using PII from a data breach at a payroll company
– Manor Independent School District (Texas): Phishing scam to coerce employees into paying fake invoices; $2.3M in losses
– Wawa: POS Malware leading to exposure of 30M records w/ customers’ details then made available for sale online
– Microsoft: User analytics data from five servers accidentally available to the public Internet
– Medical marijuana: PII for 30,000 users available in a misconfigured Amazon S3 bucket

FEBRUARY; 3/6

– Estée Lauder: 440 million internal records and internal email messages were exposed due to middleware security failures
– Denmark’s government tax portal: Taxpayer ID for 1.26 million Danish citizens exposed (issues existed for 5 years)
– DOD DISA: Admitted to a data breach potentially compromising employee records (handles IT for the White House)
– UK Financial Conduct Authority (FCA): Released sensitive information of 1,600 consumers as part of an FOIA request (human err)
– Clearview: Clearview AI’s entire client list was stolen due to a software vulnerability
– General Electric: unauthorized access to email w/ sensitive information (supplier Canon Business Process Service)

MARCH; 3/8

– T-Mobile: A hacker gained access to employee email accounts, compromising data belonging to customers and employees
– Marriott: Cyberattacked via Account Hijacking where attackers accessed back-end systems, 5.2 million guests
– Whisper: The anonymous/ secret-sharing app exposed millions of users’ private profiles and data – DB without security controls
– UK Home Office: GDPR breached 100 times handling of the Home Office’s EU Settlement Scheme; inadvertent misuse of email
– SIM-swap hacking rings: Europol arrested SIM-swap hackers responsible for the theft of over €3 million
– Virgin Media: The company exposed the data of 900,000 users through an open marketing database
– Advantage/ Argus Capital: 425GB in sensitive financial company documents public via misconfigured S3 bucket (MCA Wizard app)
– NutriBullet: Magecart attack, with payment card skimming code infecting the firm’s e-commerce store

APRIL; 1/3

– US Small Business Administration (SBA): Up to 8,000 emergency loan applicants’ data exposed in PII leak due to portal issues
– Nintendo: 160,000 users were affected by a mass account hijacking campaign due to faulty Authentication
– Email.it: The Italian email provider was breached, disclosing the data of 600,000 users sold on the Dark Web

MAY; 3/7

– EasyJet: A data breach exposed data for nine million customers, which included financial data, due to a sophisticated intrusion
– Blackbaud: CSP hit w/ Ransomware, paid to stop encryption, then paid to stop disclosure
– Mitsubishi: 0-day breach in Trend Micro, 8,000 customers and 200MB of files speciifc to missile design data
– Toll Group: The logistics giant was hit by a second ransomware attack in three months, MailTo/ Netwalker
– Pakistani mobile users: Data belonging to 44 million Pakistani mobile users was leaked online, source of infiltration unknown
– Illinois: Illinois Department of Employment Security (IDES) leaked those applying for unemployment benefits; defect-based
– Wishbone: 40 million user records were published online by the ShinyHunters hacking group, seemingly breached w/ weak auth

JUNE

– Amtrak: Customer PII and some Amtrak Guest Rewards account data leaked, seemingly using brute-force pwd attacks (public pwds)
– University of California SF: Paid a $1.14 million ransom to save COVID-19 research; Malware/ Ransomware
– AWS: AWS mitigated a massive 2.3 Tbps DDoS attack
– Postbank: A rogue employee at the South African bank obtained a master key and stole $3.2 million
– NASA: The DopplePaymer ransomware gang claimed to have breached a NASA IT contractor’s networks, accessing files
– Claire’s: The accessories company fell prey to a card-skimming Magecart infection

JULY

– CouchSurfing: 17 million records belonging to CouchSurfing were found on an underground forum; accidentally disclosed backup?
– University of York: Data breach exposing staff/ studen records from Blackbaud CSP Ransomware event
– MyCastingFile: A US casting platform for actors exposed the PII of 260,000 users due to an exposed GCP database
– SigRed: Microsoft patched 2003-2019 DNS buffer overflow exploitable for Domain Admin privs
– MGM Resorts: A hacker put the records of 142 million MGM guests online for sale, claiming third-party breach of DataViper
– V Shred: The PII of 99,000 customers and trainers exposed from open S3 bucket
– BlueLeaks: Law enforcement closed down a portal used to host 269 GB in stolen files belonging to US police departments
– EDP: The energy provider confirmed a Ragnar Locker ransomware incident. Over 10TB in business records were apparently stolen
– MongoDB: A hacker attempted to ransom 23,000 MongoDB databases found online, unprotected

AUGUST

– Cisco: A former engineer pleaded guilty to deleting VMs and affecting WebEx Teams accounts, costing $2.4M to fix
– Canon: The photography giant was struck by ransomware gang Maze
– LG, Xerox: Maze struck, publishing 50.2 GB/ 25.8 GB of data (respectively) after failing to secure payments
– Intel: 20GB of sensitive, corporate data belonging to Intel was published online, possibly shared w/ public service by mistake
– The Ritz, London: Fraudsters posed as staff in a clever phishing scam against Ritz clients
– Freepik: Breach impacting 8.3 million users, seemingly through Web Auth (federated) failure
– University of Utah: Paid $457,000 ransom to stop Ransomware group from publishing student information in heisted files 
– Experian, South Africa: Handed over 24 million customer records to fraudster posing as legit user
– Carnival: The cruise operator disclosed a ransomware attack and subsequent data breach

SEPTEMBER

– Nevada: A Nevada school refused to pay Ransom, student data published online
– German hospital: A patient died being redirected away from a hospital suffering an active ransomware attack
– Belarus law enforcement: The private information of 1,000 high-ranking police officers was leaked, seemingly in file/ .CSV format
– NS8: The CEO of the cyberfraud startup was accused of defrauding investors out of $123 million, manipulating data
– Satellites: Iranian hackers were charged for compromising US satellites using fake email identities and social engineering
– Cerberus: The developers of the Cerberus banking Trojan released the malware’s source code after failing to sell it privately
– BancoEstado: The Chilean bank was forced to close down branches due to REvil ransomware

OCTOBER

– Barnes & Noble: Believed to be the ransomware group Egregor, stolen records were leaked online as proof
– UN IMO: International Maritime Organization (UN IMO) disclosed a (targeted/ sophisticated) security breach affecting public systems
– Boom! Mobile: The telecom service provider became the victim of a Magecart card-skimming attack
– Google: Google said it mitigated a 2.54 Tbps DDoS attack, one of the largest ever recorded
– Dickey’s: POS from July 2019 to August 2020, with 3M users’ card details stolen/ posted online
– Ubisoft, Crytek: Sensitive information belonging to the gaming giants was released online by the Egregor ransomware gang
– Amazon: An Amazon finance manager and family were charged for a $1.4 million insider trading scam

NOVEMBER

– Manchester United: Manchester United football club said it was investigating a security incident impacting internal systems
– Vertafore: 27.7 million Texas drivers’ PII was compromised due to “human error”
– Campari: Campari was knocked offline following a RagnarLocker ransomware attack
– $100 million botnet: Russian hacker jailed for botnet that parsed log data for creds/ PII and drained $100M from victims
– Mashable: A hacker published a copy of a Mashable database online
– Capcom: Capcom became a victim of the RagnarLocker ransomware, disrupting email/ file servers
– Home Depot: The US retailer agreed to a $17.5 million settlement after a PoS malware infection impacted millions of shoppers
– Embraer: The Brazilian aerospace company was struck by a cyberattack leading to data theft

DECEMBER

– Leonardo SpA: Italian police arrested insider(s) that stole 10GB in sensitive corporate/ military data
– Flight Centre: 2017 hackathon accidentally leaked credit card records/ passport numbers for 7,000 people to participants
– Vancouver TransLink: An Egregor(?) ransomware attack disrupted Compass metro cards /ticketing kiosks for two days
– Absa (South Africa): Believed a rogue employee responsible for leak of customer PII
– HMRC: The UK tax office was branded ‘incompetent’ due to 11 serious data breaches impacting close to 24,000 people
– FireEye: FireEye disclosed suspected nation-state cyberattack where penetration tools were stolen